Linux Help Desk

Tuesday, May 19, 2015

How to configure Amavisd and SpamAssassin with Postfix on CentOS 6.5

1) Configure amavisd to accept mail from the MTA and pass it to ClamAV and SpamAssassin for checking.
2) Return it to the MTA for delivery.
3) Amavisd will use LMTP listening on TCP port 10024 to accept mail from the MTA, then pass it to ClamAV using a local UNIX socket and to SpamAssassin using the Mail::SpamAssassin Perl module.
4) Scanned mail will be returned to the MTA using SMTP on TCP port 10025 for delivery.

1. Introduction of SpamAssassin and Amavisd-new
a. Amavisd-new (www.ijs.si/software/amavisd/)
   - A reliable, high-performance interface between an email server (MTA) and content checkers like virus scanners.
   - Supports both (E)SMTP and LMTP protocols as well as UNIX sockets for communicating with the MTA and content checkers.
   - Uses dedicated helper programs such as the Mail::SpamAssassin Perl module.
   - Supports a number of MTAs.
b. SpamAssassin (spamassassin.apache.org)
   - Used for e-mail spam filtering based on content-matching rules.
   - Uses a variety of spam-detection techniques, including DNS-based and fuzzy-checksum-based spam detection, Bayesian filtering, external programs, blacklists and online databases.
   - Can be integrated with the mail server to automatically filter all mail for a site.
   - Awarded the Linux New Media Award 2006 as the "Best Linux-based Anti-spam Solution".

2. Packages installation
# rpm -qa | grep rpmforge
# yum install amavisd-new spamassassin -y
# rpm -qa | grep "amavisd-new\|spamassassin"
# chkconfig amavisd on; chkconfig spamassassin on
# chkconfig --list | grep "amavisd\|spamassassin"

3. Configuration
a. Spamassassin
# vi /etc/mail/spamassassin/local.cf
required_hits  5
# spamassassin --lint                             # syntax check
b. Amavisd-new
# vi /etc/amavisd/amavisd.conf
$max_servers = 2;                        # num of pre-forked children (2..30 is common), -m
$daemon_user  = "amavis";            # (no default;  customary: vscan or amavis), -u
$daemon_group = "amavis";           # (no default;  customary: vscan or amavis), -g
$inet_socket_port = 10024;              # listen on this local TCP port(s)
$mydomain = 'chul.com';                                  # Edit: a convenient default for other settings
$myhostname = 'server.chul.com';
$virus_admin               = "tland\@$mydomain";               # notifications recip.
$mailfrom_notify_admin     = "virusalert\@$mydomain";         # notifications sender
$mailfrom_notify_recip     = "virusalert\@$mydomain";           # notifications sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";       # notifications sender
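# @av_scanners entry for clamd: the socket path must match LocalSocket in clamd.conf
# (the rest of the stock entry stays unchanged)
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],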


c. Postfix

# vi /etc/postfix/main.cf

content_filter=amavisfeed:[127.0.0.1]:10024

# vi /etc/postfix/master.cf
amavisfeed unix    -       -       n        -      2     lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
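
A lint for the two master.cf entries above, as an added example that is not part of the original post: it parses master.cf and checks that the 127.0.0.1:10025 re-injection listener is loopback-only, clears content_filter, and ends its restrictions in reject. The function names and the trimmed sample file are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed master.cf holding the two services from this post.
MASTER_CF = """\
amavisfeed unix    -       -       n        -      2     lmtp
    -o lmtp_data_done_timeout=1200
127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
"""
OPT_RE = re.compile(r"-o\s+([\w.]+)=(\S*)")

def parse_master_cf(text):
    """Return {service: {"type", "command", "opts"}}; indented lines continue an entry."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                  # non-indented line starts a new service
            fields = raw.split()
            current = {"type": fields[1] if len(fields) > 1 else "",
                       "command": fields[7] if len(fields) > 7 else "", "opts": {}}
            services[fields[0]] = current
        if current is not None:
            current["opts"].update(OPT_RE.findall(raw))
    return services

def check_reinjection(services, port="10025"):
    """Return findings for the smtpd listener that takes mail back from amavisd."""
    name = next((n for n, s in services.items()
                 if s["type"] == "inet" and n.rsplit(":", 1)[-1] == port), None)
    if name is None:
        return [f"no inet listener on port {port}"]
    opts, findings = services[name]["opts"], []
    if name.rpartition(":")[0] not in ("127.0.0.1", "localhost", "[::1]"):
        findings.append("listener is not bound to loopback only")
    if opts.get("content_filter") != "":
        findings.append("content_filter not cleared: scanned mail would loop to amavisd")
    if opts.get("mynetworks") != "127.0.0.0/8":
        findings.append("mynetworks is not limited to 127.0.0.0/8")
    for key in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        if not opts.get(key, "").endswith("reject"):
            findings.append(f"{key} does not end in reject")
    return findings
```

Because an indented line continues the previous entry, a service line that starts with a space is silently merged into the entry above it, so keep service names in column one.
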
4. Service startup and connection test
a. Service startup
# service amavisd start
# service postfix restart; service spamassassin start
# ps -ef | grep amavis
# ps -ef | grep spamd
# netstat -nat | grep 10024
# netstat -nat | grep 10025
b. Connect to amavisd and smtpd port
# telnet localhost 10024
# telnet localhost 10025

Sunday, May 17, 2015

How to Add a User and Grant Root Privileges on CentOS 6.5

Pre-Flight Check

    These instructions are intended specifically for adding a user on CentOS 6.5.
    I’ll be working from a Liquid Web Core Managed CentOS 6.5 server, and I’ll be logged in as root.

Step 1: Add the User

It’s just one simple command to add a user. In this case, we’re adding a user called admin :

# adduser admin

Now set the password for the new user:

# passwd admin

Step 2: Grant Root Privileges to the User

For a refresher on editing files with vim see: New User Tutorial: Overview of the Vim Text Editor

# visudo

Find the following code:

## Allow root to run any commands anywhere
root ALL=(ALL) ALL

In this case, we’re granting root privileges to the user admin . Add the following below that code:

admin ALL=(ALL) ALL

Then exit and save the file with the command :wq .

If you’ve followed the instructions above correctly, then you should now have a user set up by the name of admin which can use sudo to run commands as root!

Saturday, May 9, 2015

How to install DKIM with OpenDKIM and Postfix in CentOS 6

What is OpenDKIM?

It is a digital email signing/verification technology, which is already supported by some common mail providers. In general, DKIM means digitally signing all messages on the mail server to verify the message was actually sent from the domain in question and was not spam.

UPDATE THE SYSTEM

Before going any further, make sure you’re in a screen session and your system is fully up-to-date by running:

## screen -U -S opendkim-screen
## yum update

ENABLE EPEL REPOSITORY

OpenDKIM is available in the EPEL repository, so we need to enable it on the system before we can install OpenDKIM

CentOS 6.x
wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/ius-release-1.0-13.ius.centos6.noarch.rpm
sudo rpm -Uvh ius-release*.rpm

CentOS 7.x
wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/7/x86_64/ius-release-1.0-13.ius.centos7.noarch.rpm
sudo rpm -Uvh ius-release*.rpm

INSTALL OPENDKIM

Install the package using yum:

## yum install opendkim

CONFIGURE OPENDKIM

Next thing to do is to configure OpenDKIM. Its main configuration file is located in /etc/opendkim.conf, so before making any changes create a backup and add/edit the following:

## cp /etc/opendkim.conf{,.orig}
## vim /etc/opendkim.conf

AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    s
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

SET-UP PUBLIC/PRIVATE KEYS

Generate set of keys for your mydomain.com domain name:

## mkdir /etc/opendkim/keys/mydomain.com
## opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s default
## chown -R opendkim: /etc/opendkim/keys/mydomain.com
## mv /etc/opendkim/keys/mydomain.com/default.private /etc/opendkim/keys/mydomain.com/default

Add mydomain.com to OpenDKIM’s key table by adding the following record in /etc/opendkim/KeyTable:

default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default

Next, edit /etc/opendkim/SigningTable and add the following record to OpenDKIM’s signing table:

*@mydomain.com default._domainkey.mydomain.com

Then add your domain and your hostname as trusted hosts in /etc/opendkim/TrustedHosts:

127.0.0.1
mydomain.com
host.mydomain.com

This assumes the domain in question is ‘mydomain.com’ and the server’s hostname is set to ‘host.mydomain.com’.

Finally, edit your mydomain.com DNS zone and add the TXT record from /etc/opendkim/keys/mydomain.com/default.txt:

default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" )  ; ----- DKIM key default for mydomain.com

It is also a good idea to add an SPF record if you haven’t already:

mydomain.com. 14400 IN TXT "v=spf1 a mx ~all"

You can verify that your DKIM TXT record is valid using dig, for example:

## dig +short default._domainkey.mydomain.com TXT

"v=DKIM1\; k=rsa\; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB"
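
A check of the published record that goes one step past dig, as an added example that is not part of the original post: it joins the quoted TXT strings, reads the v=, k= and p= tags, and decodes the public key to report the RSA modulus size. The function names and the 2048-bit threshold are assumptions made for illustration; the input is the dig output shown above.

```python
import base64
import re

# TXT record exactly as `dig +short` prints it on this page (two quoted strings).
DIG_OUTPUT = r'"v=DKIM1\; k=rsa\; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB"'

def parse_dkim_txt(dig_line):
    """Join the quoted TXT strings, undo dig's backslash escaping, return a tag dict."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_line)
    record = re.sub(r"\\(.)", r"\1", "".join(chunks))
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, pos, _ = _tlv(spki, 0)                # outer SEQUENCE
    _, _, pos = _tlv(spki, pos)              # skip AlgorithmIdentifier
    _, pos, _ = _tlv(spki, pos)              # BIT STRING holding RSAPublicKey
    _, pos, _ = _tlv(spki, pos + 1)          # skip unused-bits byte, enter SEQUENCE
    tag, start, end = _tlv(spki, pos)        # INTEGER modulus
    if tag != 0x02:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(spki[start:end], "big").bit_length()

def check_dkim_record(dig_line, min_bits=2048):
    """Return (modulus_bits or None, findings) for one published DKIM key record."""
    tags, findings = parse_dkim_txt(dig_line), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= is not DKIM1")
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None, findings + ["p= is empty or key is not RSA: size not checked"]
    bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    if bits < min_bits:
        findings.append(f"RSA key is {bits} bits, below {min_bits}")
    return bits, findings
```

The record published on this page decodes to a 1024-bit modulus; opendkim-genkey takes -b to request a larger key.
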

CONFIGURE POSTFIX

In order to integrate OpenDKIM with Postfix we need to add the following few lines in /etc/postfix/main.cf:

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

(RE)START SERVICES

Add OpenDKIM to your system’s start-up and start opendkim and restart postfix using the following commands:

## service opendkim start
## chkconfig opendkim on
## service postfix restart

TEST THE SET-UP

To test the set-up simply send an email to check-auth@verifier.port25.com and you should receive back an email containing something like this:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
DKIM check:         pass